Today we are going to talk about a novel part of the executive order – the Cyber Safety Review Board.
It turns out that the act that created the Department of Homeland Security allows DHS to create advisory boards. The EO tells DHS to create an advisory board to review major cybersecurity events. Examples might be the Colonial Pipeline attack, but, in theory, it could be any event. How is this going to work?
The EO says:
Executive Order on Improving the Nation’s Cybersecurity | The White House
The Board shall review and assess, with respect to significant cyber incidents (as defined under Presidential Policy Directive 41 of July 26, 2016 (United States Cyber Incident Coordination) (PPD 41)) affecting FCEB Information Systems or non-Federal systems, threat activity, vulnerabilities, mitigation activities, and agency responses.
So, the scope would only be for attacks that affect federal computer systems (which is pretty much all major cyber attacks). Significant incidents are defined in PPD 41 as follows:
Significant cyber incident. A cyber incident that is (or group of related cyber incidents that together are) likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
So we sort of have the scope of the board reasonably defined.
So when does the Board convene? Whenever the Secretary of Homeland Security says so. There are some caveats, but not anything meaningful. So, an event happens, it affects federal computers and it is deemed significant. That is all that it takes.
Unlike the National Transportation Safety Board, which can take a year or more to create a report, this Board only has 90 days. That is probably a good thing since you want to take action quickly.
The Board’s membership is up to DHS, but in addition to private sector peops, it needs to include the FBI, DoJ, CISA and the NSA. It is unclear from the underlying law whether this Board has subpoena power, but it seems to me that that is a critical part of things. That may require legislation. Not sure.
After the Board makes its recommendations to the Secretary of DHS, the Secretary has 30 days to make recommendations to the President.
Assuming this all gets implemented, this will be the first time in US history where we have a semi independent body reviewing major cyber attacks and providing recommendations to the President. This is a good thing.